cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28/10/2022, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
Size

5.2MB
MD5

0c93412e943657c187b25874d264175d
SHA1

94ba0646a5f31df3c9cb7973aa92c5506f423cb8
SHA256

cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911
SHA512

eb604cebb21edeb1f444c1ce7a527077ea5c6315fb8c80c354706eef0d842377cda61aaaa1332e6bde1a922fb6c716efd29193e1ee5cbc6ef4a6c7bd53e8c567
SSDEEP

24576:/DyTFtjSDyTFtjZDyTFtjSDyTFtjeDyTFtjtDyTFtjSDyTFtjfDyTFtjSDyTFtjq:YtztCtztHtGtzt8tztHtGtzt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1628	tmp7116235.exe
1520	tmp7116453.exe
856	tmp7116765.exe
896	tmp7118325.exe
2028	tmp7119105.exe
472	tmp7119511.exe
1912	tmp7119994.exe
928	tmp7120213.exe
888	notpad.exe
1060	tmp7120712.exe
1736	tmp7120899.exe
920	notpad.exe
1332	tmp7121227.exe
1640	notpad.exe
1940	tmp7121352.exe
1864	tmp7121461.exe
1704	notpad.exe
1552	tmp7121539.exe
2024	tmp7121648.exe
1516	tmp7121866.exe
1404	notpad.exe
1680	tmp7121991.exe
1152	tmp7122038.exe
976	notpad.exe
896	tmp7122178.exe
336	notpad.exe
1616	tmp7122210.exe
964	tmp7122256.exe
364	tmp7122319.exe
1768	notpad.exe
1548	tmp7122475.exe
852	tmp7122943.exe
1232	notpad.exe
1728	tmp7123068.exe
888	tmp7123083.exe
1504	notpad.exe
1668	tmp7123192.exe
1992	tmp7123255.exe
1608	notpad.exe
1636	tmp7123395.exe
580	tmp7123426.exe
920	notpad.exe
1988	tmp7123598.exe
1056	notpad.exe
1760	tmp7123614.exe
1612	tmp7123723.exe
1564	tmp7124706.exe
1600	notpad.exe
1624	tmp7124862.exe
2044	tmp7124877.exe
1696	notpad.exe
1520	tmp7124971.exe
524	tmp7125018.exe
1272	notpad.exe
320	tmp7125174.exe
976	tmp7126281.exe
860	notpad.exe
336	tmp7158105.exe
964	notpad.exe
1916	tmp7158651.exe
1528	tmp7159587.exe
1144	tmp7160555.exe
1976	notpad.exe
1476	tmp7160804.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122e9-60.dat	upx
behavioral1/files/0x000a0000000122e9-61.dat	upx
behavioral1/files/0x000a0000000122e9-63.dat	upx
behavioral1/files/0x000a0000000122e9-64.dat	upx
behavioral1/memory/1520-67-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-68-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122eb-74.dat	upx
behavioral1/files/0x00090000000122eb-75.dat	upx
behavioral1/files/0x00090000000122eb-77.dat	upx
behavioral1/memory/1520-78-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000122eb-79.dat	upx
behavioral1/memory/896-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122f7-86.dat	upx
behavioral1/files/0x00080000000122f7-87.dat	upx
behavioral1/memory/896-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122f7-89.dat	upx
behavioral1/files/0x00080000000122f7-91.dat	upx
behavioral1/memory/472-102-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000012307-103.dat	upx
behavioral1/files/0x0009000000012307-105.dat	upx
behavioral1/files/0x0009000000012307-107.dat	upx
behavioral1/files/0x0009000000012307-108.dat	upx
behavioral1/files/0x00080000000122ff-114.dat	upx
behavioral1/memory/888-121-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0009000000012307-123.dat	upx
behavioral1/files/0x0009000000012307-122.dat	upx
behavioral1/files/0x0009000000012307-125.dat	upx
behavioral1/files/0x00080000000122ff-131.dat	upx
behavioral1/files/0x0009000000012307-134.dat	upx
behavioral1/files/0x0009000000012307-135.dat	upx
behavioral1/files/0x0009000000012307-137.dat	upx
behavioral1/memory/920-141-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122ff-148.dat	upx
behavioral1/files/0x0009000000012307-151.dat	upx
behavioral1/files/0x0009000000012307-152.dat	upx
behavioral1/files/0x0009000000012307-154.dat	upx
behavioral1/memory/1640-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1704-166-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1404-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/976-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/336-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1768-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1232-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1504-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1608-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/920-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1056-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1600-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1272-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1272-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1272-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/860-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/964-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/964-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/544-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1480-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1608-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
1520	tmp7116453.exe
1520	tmp7116453.exe
1520	tmp7116453.exe
1520	tmp7116453.exe
896	tmp7118325.exe
896	tmp7118325.exe
896	tmp7118325.exe
896	tmp7118325.exe
472	tmp7119511.exe
472	tmp7119511.exe
472	tmp7119511.exe
472	tmp7119511.exe
856	tmp7116765.exe
856	tmp7116765.exe
888	notpad.exe
888	notpad.exe
888	notpad.exe
1060	tmp7120712.exe
1060	tmp7120712.exe
920	notpad.exe
920	notpad.exe
1332	tmp7121227.exe
1332	tmp7121227.exe
920	notpad.exe
1640	notpad.exe
1640	notpad.exe
1864	tmp7121461.exe
1864	tmp7121461.exe
1640	notpad.exe
1704	notpad.exe
1704	notpad.exe
1704	notpad.exe
2024	tmp7121648.exe
2024	tmp7121648.exe
1404	notpad.exe
1404	notpad.exe
1404	notpad.exe
1680	tmp7121991.exe
1680	tmp7121991.exe
976	notpad.exe
976	notpad.exe
896	tmp7122178.exe
896	tmp7122178.exe
976	notpad.exe
336	notpad.exe
336	notpad.exe
336	notpad.exe
964	tmp7122256.exe
964	tmp7122256.exe
1768	notpad.exe
1768	notpad.exe
1768	notpad.exe
1548	tmp7122475.exe
1548	tmp7122475.exe
1232	notpad.exe
1232	notpad.exe
1232	notpad.exe
1728	tmp7123068.exe
1728	tmp7123068.exe
1504	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166483.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168776.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7202550.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7203611.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7205046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7207901.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7213923.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166249.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7158105.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7206902.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7168604.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7159587.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7167699.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7202862.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7207979.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7212581.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7123068.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122178.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122256.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7168776.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7205779.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7213735.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7121227.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121991.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7125174.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7205046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7207979.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7213923.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7116765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7165047.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7167699.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7202550.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7203611.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7123068.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7123598.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7124971.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7164813.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7123192.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7160804.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166483.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168776.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7206902.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7207901.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7207979.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7213954.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124971.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7165047.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122475.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121227.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121648.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7123395.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7123395.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7158105.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7164813.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7116765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166654.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168401.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7168604.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7212581.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166249.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7163784.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7165047.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123192.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158105.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166249.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7125174.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7205779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7205046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7202550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120712.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167419.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7209102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7210740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7207901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122178.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7203970.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212581.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7202862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213923.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7166483.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7116765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122256.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7202332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7206902.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7207979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7213954.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1628	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	28
PID 2044 wrote to memory of 1628	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	28
PID 2044 wrote to memory of 1628	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	28
PID 2044 wrote to memory of 1628	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	28
PID 2044 wrote to memory of 1520	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	29
PID 2044 wrote to memory of 1520	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	29
PID 2044 wrote to memory of 1520	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	29
PID 2044 wrote to memory of 1520	2044	cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe	29
PID 1520 wrote to memory of 856	1520	tmp7116453.exe	30
PID 1520 wrote to memory of 856	1520	tmp7116453.exe	30
PID 1520 wrote to memory of 856	1520	tmp7116453.exe	30
PID 1520 wrote to memory of 856	1520	tmp7116453.exe	30
PID 1520 wrote to memory of 896	1520	tmp7116453.exe	31
PID 1520 wrote to memory of 896	1520	tmp7116453.exe	31
PID 1520 wrote to memory of 896	1520	tmp7116453.exe	31
PID 1520 wrote to memory of 896	1520	tmp7116453.exe	31
PID 896 wrote to memory of 2028	896	tmp7118325.exe	32
PID 896 wrote to memory of 2028	896	tmp7118325.exe	32
PID 896 wrote to memory of 2028	896	tmp7118325.exe	32
PID 896 wrote to memory of 2028	896	tmp7118325.exe	32
PID 896 wrote to memory of 472	896	tmp7118325.exe	33
PID 896 wrote to memory of 472	896	tmp7118325.exe	33
PID 896 wrote to memory of 472	896	tmp7118325.exe	33
PID 896 wrote to memory of 472	896	tmp7118325.exe	33
PID 472 wrote to memory of 1912	472	tmp7119511.exe	34
PID 472 wrote to memory of 1912	472	tmp7119511.exe	34
PID 472 wrote to memory of 1912	472	tmp7119511.exe	34
PID 472 wrote to memory of 1912	472	tmp7119511.exe	34
PID 472 wrote to memory of 928	472	tmp7119511.exe	35
PID 472 wrote to memory of 928	472	tmp7119511.exe	35
PID 472 wrote to memory of 928	472	tmp7119511.exe	35
PID 472 wrote to memory of 928	472	tmp7119511.exe	35
PID 856 wrote to memory of 888	856	tmp7116765.exe	36
PID 856 wrote to memory of 888	856	tmp7116765.exe	36
PID 856 wrote to memory of 888	856	tmp7116765.exe	36
PID 856 wrote to memory of 888	856	tmp7116765.exe	36
PID 888 wrote to memory of 1060	888	notpad.exe	37
PID 888 wrote to memory of 1060	888	notpad.exe	37
PID 888 wrote to memory of 1060	888	notpad.exe	37
PID 888 wrote to memory of 1060	888	notpad.exe	37
PID 888 wrote to memory of 1736	888	notpad.exe	38
PID 888 wrote to memory of 1736	888	notpad.exe	38
PID 888 wrote to memory of 1736	888	notpad.exe	38
PID 888 wrote to memory of 1736	888	notpad.exe	38
PID 1060 wrote to memory of 920	1060	tmp7120712.exe	39
PID 1060 wrote to memory of 920	1060	tmp7120712.exe	39
PID 1060 wrote to memory of 920	1060	tmp7120712.exe	39
PID 1060 wrote to memory of 920	1060	tmp7120712.exe	39
PID 920 wrote to memory of 1332	920	notpad.exe	40
PID 920 wrote to memory of 1332	920	notpad.exe	40
PID 920 wrote to memory of 1332	920	notpad.exe	40
PID 920 wrote to memory of 1332	920	notpad.exe	40
PID 1332 wrote to memory of 1640	1332	tmp7121227.exe	41
PID 1332 wrote to memory of 1640	1332	tmp7121227.exe	41
PID 1332 wrote to memory of 1640	1332	tmp7121227.exe	41
PID 1332 wrote to memory of 1640	1332	tmp7121227.exe	41
PID 920 wrote to memory of 1940	920	notpad.exe	42
PID 920 wrote to memory of 1940	920	notpad.exe	42
PID 920 wrote to memory of 1940	920	notpad.exe	42
PID 920 wrote to memory of 1940	920	notpad.exe	42
PID 1640 wrote to memory of 1864	1640	notpad.exe	43
PID 1640 wrote to memory of 1864	1640	notpad.exe	43
PID 1640 wrote to memory of 1864	1640	notpad.exe	43
PID 1640 wrote to memory of 1864	1640	notpad.exe	43

C:\Users\Admin\AppData\Local\Temp\cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe
"C:\Users\Admin\AppData\Local\Temp\cead255bdfb3e6a5ab4b5a24de9b0b632a6a630c17bec6df6e5de58203738911.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\tmp7116235.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116235.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\tmp7116453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7116453.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\tmp7116765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7116765.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\tmp7120712.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120712.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121648.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121991.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121991.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122178.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122256.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122475.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123068.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123192.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123192.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123395.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123598.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123598.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123723.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123723.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124862.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124971.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125174.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158105.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159587.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159587.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160804.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160804.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163784.exe
        43⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164065.exe
        45⤵
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164299.exe
        47⤵
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        49⤵
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164813.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165047.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166046.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166249.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166249.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166483.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166654.exe
        61⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167419.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167419.exe
        63⤵
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167699.exe
        65⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167980.exe
        67⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        69⤵
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168401.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168401.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168604.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168776.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168963.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168963.exe
        77⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202332.exe
        79⤵
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202550.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202862.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203611.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203611.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204235.exe
        87⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204859.exe
        87⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205186.exe
        88⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205654.exe
        88⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203704.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203704.exe
        85⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203970.exe
        86⤵
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205046.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205998.exe
        90⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206544.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206544.exe
        90⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207152.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207152.exe
        91⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207277.exe
        91⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205140.exe
        88⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205779.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206902.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206902.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207901.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207901.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209102.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209102.exe
        95⤵
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210522.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210522.exe
        97⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211785.exe
        97⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212394.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212394.exe
        98⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213486.exe
        98⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209633.exe
        95⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210631.exe
        96⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211879.exe
        96⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208275.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208275.exe
        93⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208915.exe
        94⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209227.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209227.exe
        94⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207183.exe
        91⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207979.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207979.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210023.exe
        94⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210397.exe
        94⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210740.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210740.exe
        95⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212581.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212581.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213735.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213954.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230521.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230521.exe
        103⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230739.exe
        103⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231114.exe
        104⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228181.exe
        101⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228867.exe
        102⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230755.exe
        102⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213782.exe
        99⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213923.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214079.exe
        102⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228665.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228665.exe
        102⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230100.exe
        103⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231613.exe
        105⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232331.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232331.exe
        107⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232409.exe
        107⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233547.exe
        108⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233033.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233033.exe
        108⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231707.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231707.exe
        105⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232393.exe
        106⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233438.exe
        108⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233563.exe
        108⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232487.exe
        106⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230427.exe
        103⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214016.exe
        100⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213470.exe
        97⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213611.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213611.exe
        98⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213657.exe
        98⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211754.exe
        95⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208650.exe
        92⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205982.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205982.exe
        89⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204094.exe
        86⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203049.exe
        83⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203377.exe
        84⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203782.exe
        84⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202737.exe
        81⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202893.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202893.exe
        82⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202971.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202971.exe
        82⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202347.exe
        79⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170258.exe
        77⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        75⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168620.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168620.exe
        73⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168433.exe
        71⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168245.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168245.exe
        69⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168027.exe
        67⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236418.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236418.exe
        68⤵
        
        PID:964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237135.exe
        67⤵
        
        PID:668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240412.exe
        69⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253765.exe
        71⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255918.exe
        73⤵
        
        PID:336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256870.exe
        73⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254358.exe
        71⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7255450.exe
        72⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256183.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256183.exe
        72⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252798.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252798.exe
        69⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7253547.exe
        70⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254327.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7254327.exe
        70⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237369.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237369.exe
        67⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238149.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238149.exe
        68⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240115.exe
        68⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167777.exe
        65⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167465.exe
        63⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233906.exe
        64⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233813.exe
        64⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167263.exe
        61⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233922.exe
        62⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234281.exe
        62⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234733.exe
        63⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236543.exe
        65⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237182.exe
        66⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237962.exe
        66⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234827.exe
        63⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166498.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166498.exe
        59⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166264.exe
        57⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166061.exe
        55⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165734.exe
        53⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164876.exe
        51⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164704.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164704.exe
        49⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164377.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164377.exe
        47⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164189.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164189.exe
        45⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        43⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        41⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160555.exe
        39⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158651.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158651.exe
        37⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126281.exe
        35⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125018.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125018.exe
        33⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124877.exe
        31⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124706.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124706.exe
        29⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123614.exe
        27⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123426.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123426.exe
        25⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123255.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123255.exe
        23⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123083.exe
        21⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122943.exe
        19⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122319.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122319.exe
        17⤵
        Executes dropped EXE
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        15⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122038.exe
        13⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121866.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121866.exe
        11⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121539.exe
        9⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
        7⤵
        Executes dropped EXE
        
        PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\tmp7120899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120899.exe
        5⤵
        Executes dropped EXE
        
        PID:1736
- - C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\tmp7119105.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7119105.exe
      4⤵
      Executes dropped EXE
      PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:472
    - - C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe
        5⤵
        Executes dropped EXE
        
        PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe
        5⤵
        Executes dropped EXE
        
        PID:928

C:\Users\Admin\AppData\Local\Temp\tmp7230927.exe
C:\Users\Admin\AppData\Local\Temp\tmp7230927.exe
1⤵
PID:1596
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\tmp7232237.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7232237.exe
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:108
- - C:\Users\Admin\AppData\Local\Temp\tmp7232315.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7232315.exe
    3⤵
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\tmp7232440.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7232440.exe
      4⤵
      PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\tmp7233532.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7233532.exe
      4⤵
      PID:1568

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1592
- C:\Users\Admin\AppData\Local\Temp\tmp7234546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7234546.exe
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\tmp7235107.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7235107.exe
  2⤵
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\tmp7236589.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7236589.exe
    3⤵
    PID:1468
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\tmp7256417.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7256417.exe
        5⤵
        
        PID:1720
- - C:\Users\Admin\AppData\Local\Temp\tmp7237276.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7237276.exe
    3⤵
    PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7116235.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116453.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116453.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116765.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7116765.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118325.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119105.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119994.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7120213.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7120712.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7120712.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7120899.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121227.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116235.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116235.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116453.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116453.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116765.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7116765.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118325.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118325.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119105.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119105.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119511.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119511.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119994.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119994.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120213.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120213.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120712.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120712.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120899.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121227.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121227.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121539.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
memory/320-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/336-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/472-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/708-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/808-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-121-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-320-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/920-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/976-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1152-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1232-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1264-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1360-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-263-0x00000000022A0000-0x00000000022AD000-memory.dmp

Filesize
52KB

Download
memory/1480-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1600-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-59-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1640-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-166-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2024-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-66-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2044-65-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/2044-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download