6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

Analysis

max time kernel
147s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
Size

269KB
MD5

52c30e5069632251e223731b54da4000
SHA1

d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd
SHA256

6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec
SHA512

b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5
SSDEEP

6144:oftdcNdPYNSDyDIkFthptNSDyDIkFthphNSDyDRO1thp:bdPcSDyTFtjXSDyTFtjrSDyo1tj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1132	notpad.exe
704	tmp7103989.exe
880	tmp7104285.exe
1596	notpad.exe
1752	tmp7104613.exe
828	tmp7104956.exe
1292	notpad.exe
1872	tmp7105907.exe
984	tmp7106048.exe
1276	notpad.exe
1996	tmp7106251.exe
1980	tmp7106485.exe
1508	notpad.exe
832	tmp7106843.exe
1332	notpad.exe
1164	tmp7106968.exe
308	tmp7107109.exe
572	notpad.exe
1640	tmp7107343.exe
628	notpad.exe
1000	tmp7107920.exe
1712	tmp7108388.exe
1768	notpad.exe
1680	tmp7108715.exe
704	notpad.exe
1548	tmp7109324.exe
1544	notpad.exe
1336	tmp7109199.exe
1560	tmp7109449.exe
1752	tmp7109527.exe
872	notpad.exe
760	tmp7109807.exe
1772	tmp7109948.exe
992	tmp7110213.exe
584	notpad.exe
1324	tmp7110478.exe
1572	tmp7110759.exe
1244	notpad.exe
1200	tmp7110884.exe
1964	tmp7111087.exe
1436	notpad.exe
1656	tmp7111289.exe
1776	tmp7111679.exe
1508	notpad.exe
304	tmp7113021.exe
2028	tmp7113115.exe
2044	notpad.exe
1812	tmp7113271.exe
308	tmp7113614.exe
1332	tmp7113442.exe
288	notpad.exe
1056	tmp7114035.exe
1088	notpad.exe
1124	tmp7114378.exe
1988	tmp7113957.exe
1664	tmp7114612.exe
1668	tmp7114721.exe
1116	tmp7115408.exe
452	notpad.exe
1556	tmp7115049.exe
1592	notpad.exe
1336	tmp7115626.exe
856	tmp7115065.exe
800	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122e8-55.dat	upx
behavioral1/files/0x000a0000000122e8-56.dat	upx
behavioral1/files/0x000a0000000122e8-58.dat	upx
behavioral1/files/0x000a0000000122e8-59.dat	upx
behavioral1/memory/1132-67-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1132-72-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-69.dat	upx
behavioral1/files/0x000a0000000122e8-73.dat	upx
behavioral1/files/0x000a0000000122e8-76.dat	upx
behavioral1/files/0x000a0000000122e8-74.dat	upx
behavioral1/files/0x0007000000005c50-83.dat	upx
behavioral1/memory/1596-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122e8-91.dat	upx
behavioral1/files/0x000a0000000122e8-92.dat	upx
behavioral1/files/0x000a0000000122e8-94.dat	upx
behavioral1/files/0x0007000000005c50-100.dat	upx
behavioral1/memory/1292-105-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122e8-107.dat	upx
behavioral1/files/0x000a0000000122e8-111.dat	upx
behavioral1/files/0x000a0000000122e8-106.dat	upx
behavioral1/memory/1292-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-120.dat	upx
behavioral1/files/0x000a0000000122e8-127.dat	upx
behavioral1/files/0x000a0000000122e8-130.dat	upx
behavioral1/memory/1276-126-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000a0000000122e8-125.dat	upx
behavioral1/files/0x000a0000000122e8-144.dat	upx
behavioral1/files/0x000a0000000122e8-142.dat	upx
behavioral1/files/0x000a0000000122e8-141.dat	upx
behavioral1/memory/1508-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-137.dat	upx
behavioral1/files/0x0007000000005c50-153.dat	upx
behavioral1/memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/572-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/628-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/628-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1768-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/704-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1544-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/704-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1544-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/872-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/584-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1244-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1436-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1508-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/304-219-0x0000000002060000-0x000000000207F000-memory.dmp	upx
behavioral1/memory/2028-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2028-228-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/288-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1088-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1988-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1124-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1088-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/452-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1988-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/800-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/856-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1592-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/696-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/800-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
1132	notpad.exe
1132	notpad.exe
1132	notpad.exe
704	tmp7103989.exe
704	tmp7103989.exe
1596	notpad.exe
1596	notpad.exe
1596	notpad.exe
1752	tmp7104613.exe
1752	tmp7104613.exe
1292	notpad.exe
1292	notpad.exe
1292	notpad.exe
1872	tmp7105907.exe
1872	tmp7105907.exe
1276	notpad.exe
1276	notpad.exe
1276	notpad.exe
1996	tmp7106251.exe
1996	tmp7106251.exe
1508	notpad.exe
1508	notpad.exe
1508	notpad.exe
832	tmp7106843.exe
832	tmp7106843.exe
1332	notpad.exe
1332	notpad.exe
308	tmp7107109.exe
308	tmp7107109.exe
1332	notpad.exe
1088	tmp7107561.exe
1088	tmp7107561.exe
628	notpad.exe
628	notpad.exe
628	notpad.exe
1000	tmp7107920.exe
1000	tmp7107920.exe
1768	notpad.exe
1768	notpad.exe
1680	tmp7108715.exe
1680	tmp7108715.exe
704	notpad.exe
704	notpad.exe
1548	tmp7109324.exe
1548	tmp7109324.exe
1768	notpad.exe
704	notpad.exe
1544	notpad.exe
1544	notpad.exe
1752	tmp7109527.exe
1752	tmp7109527.exe
1544	notpad.exe
872	notpad.exe
872	notpad.exe
872	notpad.exe
1772	tmp7109948.exe
1772	tmp7109948.exe
584	notpad.exe
584	notpad.exe
1324	tmp7110478.exe
584	notpad.exe
1324	tmp7110478.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7131289.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7142989.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7180819.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7210444.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7120494.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121040.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124409.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7131289.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7227697.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104613.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144393.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7144954.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7164657.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7122350.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131226.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7185421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7130150.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7142989.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7173690.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7247354.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7243516.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118356.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131289.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7155204.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7156935.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7119651.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7217542.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7232455.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109324.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7111289.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7240053.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7183378.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7119370.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106251.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7114612.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7115626.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7117296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7167637.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7232455.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7135813.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7139276.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7181334.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7234390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107920.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7111289.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7115049.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7131429.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7142989.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7168526.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7195140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106843.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7107920.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7114612.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7134128.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7122350.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7132381.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7141694.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7150259.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7104613.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7107109.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7118700.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7122210.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7183378.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7196887.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7120696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7168526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183378.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109324.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7227697.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7185421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188916.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7155204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7208603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7196887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7141694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7193128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7113271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7206434.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7232455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7243516.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7238430.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7229694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115954.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7107920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7113021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110478.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7153691.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7210444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7142989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7196357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175063.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1132	288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	26
PID 288 wrote to memory of 1132	288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	26
PID 288 wrote to memory of 1132	288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	26
PID 288 wrote to memory of 1132	288	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	26
PID 1132 wrote to memory of 704	1132	notpad.exe	27
PID 1132 wrote to memory of 704	1132	notpad.exe	27
PID 1132 wrote to memory of 704	1132	notpad.exe	27
PID 1132 wrote to memory of 704	1132	notpad.exe	27
PID 1132 wrote to memory of 880	1132	notpad.exe	28
PID 1132 wrote to memory of 880	1132	notpad.exe	28
PID 1132 wrote to memory of 880	1132	notpad.exe	28
PID 1132 wrote to memory of 880	1132	notpad.exe	28
PID 704 wrote to memory of 1596	704	tmp7103989.exe	29
PID 704 wrote to memory of 1596	704	tmp7103989.exe	29
PID 704 wrote to memory of 1596	704	tmp7103989.exe	29
PID 704 wrote to memory of 1596	704	tmp7103989.exe	29
PID 1596 wrote to memory of 1752	1596	notpad.exe	30
PID 1596 wrote to memory of 1752	1596	notpad.exe	30
PID 1596 wrote to memory of 1752	1596	notpad.exe	30
PID 1596 wrote to memory of 1752	1596	notpad.exe	30
PID 1596 wrote to memory of 828	1596	notpad.exe	31
PID 1596 wrote to memory of 828	1596	notpad.exe	31
PID 1596 wrote to memory of 828	1596	notpad.exe	31
PID 1596 wrote to memory of 828	1596	notpad.exe	31
PID 1752 wrote to memory of 1292	1752	tmp7104613.exe	32
PID 1752 wrote to memory of 1292	1752	tmp7104613.exe	32
PID 1752 wrote to memory of 1292	1752	tmp7104613.exe	32
PID 1752 wrote to memory of 1292	1752	tmp7104613.exe	32
PID 1292 wrote to memory of 1872	1292	notpad.exe	33
PID 1292 wrote to memory of 1872	1292	notpad.exe	33
PID 1292 wrote to memory of 1872	1292	notpad.exe	33
PID 1292 wrote to memory of 1872	1292	notpad.exe	33
PID 1292 wrote to memory of 984	1292	notpad.exe	35
PID 1292 wrote to memory of 984	1292	notpad.exe	35
PID 1292 wrote to memory of 984	1292	notpad.exe	35
PID 1292 wrote to memory of 984	1292	notpad.exe	35
PID 1872 wrote to memory of 1276	1872	tmp7105907.exe	34
PID 1872 wrote to memory of 1276	1872	tmp7105907.exe	34
PID 1872 wrote to memory of 1276	1872	tmp7105907.exe	34
PID 1872 wrote to memory of 1276	1872	tmp7105907.exe	34
PID 1276 wrote to memory of 1996	1276	notpad.exe	36
PID 1276 wrote to memory of 1996	1276	notpad.exe	36
PID 1276 wrote to memory of 1996	1276	notpad.exe	36
PID 1276 wrote to memory of 1996	1276	notpad.exe	36
PID 1276 wrote to memory of 1980	1276	notpad.exe	37
PID 1276 wrote to memory of 1980	1276	notpad.exe	37
PID 1276 wrote to memory of 1980	1276	notpad.exe	37
PID 1276 wrote to memory of 1980	1276	notpad.exe	37
PID 1996 wrote to memory of 1508	1996	tmp7106251.exe	38
PID 1996 wrote to memory of 1508	1996	tmp7106251.exe	38
PID 1996 wrote to memory of 1508	1996	tmp7106251.exe	38
PID 1996 wrote to memory of 1508	1996	tmp7106251.exe	38
PID 1508 wrote to memory of 832	1508	notpad.exe	39
PID 1508 wrote to memory of 832	1508	notpad.exe	39
PID 1508 wrote to memory of 832	1508	notpad.exe	39
PID 1508 wrote to memory of 832	1508	notpad.exe	39
PID 1508 wrote to memory of 1164	1508	notpad.exe	40
PID 1508 wrote to memory of 1164	1508	notpad.exe	40
PID 1508 wrote to memory of 1164	1508	notpad.exe	40
PID 1508 wrote to memory of 1164	1508	notpad.exe	40
PID 832 wrote to memory of 1332	832	tmp7106843.exe	41
PID 832 wrote to memory of 1332	832	tmp7106843.exe	41
PID 832 wrote to memory of 1332	832	tmp7106843.exe	41
PID 832 wrote to memory of 1332	832	tmp7106843.exe	41

C:\Users\Admin\AppData\Local\Temp\6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
"C:\Users\Admin\AppData\Local\Temp\6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\tmp7103989.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7103989.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106251.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106843.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107109.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107561.exe
        15⤵
        Loads dropped DLL
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107920.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108715.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109324.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109527.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109948.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110478.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110478.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110884.exe
        29⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111289.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113021.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113442.exe
        35⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113957.exe
        35⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115049.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115954.exe
        38⤵
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117920.exe
        40⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117935.exe
        40⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118356.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118356.exe
        41⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118840.exe
        43⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119386.exe
        43⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120119.exe
        44⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120228.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120228.exe
        44⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118684.exe
        41⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117062.exe
        38⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117764.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117764.exe
        39⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117966.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117966.exe
        39⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115751.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115751.exe
        36⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113115.exe
        33⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113271.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114035.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114035.exe
        36⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114612.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114612.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115626.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116172.exe
        42⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116734.exe
        42⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117296.exe
        43⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118169.exe
        45⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118372.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118372.exe
        45⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118700.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119495.exe
        48⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119651.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119651.exe
        50⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        52⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        54⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122022.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122022.exe
        54⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122412.exe
        55⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124362.exe
        55⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121024.exe
        52⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        53⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121882.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121882.exe
        53⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120166.exe
        50⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120634.exe
        51⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe
        51⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119511.exe
        48⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119948.exe
        49⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120416.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120416.exe
        49⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119027.exe
        46⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117873.exe
        43⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115970.exe
        40⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116781.exe
        41⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117077.exe
        41⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115065.exe
        38⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        39⤵
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117093.exe
        41⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117732.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117732.exe
        41⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        42⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118559.exe
        44⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118731.exe
        44⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119370.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120494.exe
        47⤵
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120993.exe
        49⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121289.exe
        49⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121523.exe
        50⤵
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121851.exe
        52⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122100.exe
        52⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122974.exe
        53⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124378.exe
        53⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121773.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121773.exe
        50⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120852.exe
        47⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121040.exe
        48⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121710.exe
        50⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122054.exe
        50⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122319.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122319.exe
        51⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126406.exe
        51⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121476.exe
        48⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        50⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123926.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123926.exe
        52⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127311.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127311.exe
        54⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128777.exe
        54⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129198.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129198.exe
        55⤵
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130540.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130540.exe
        57⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130571.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130571.exe
        57⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131226.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131960.exe
        60⤵
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133785.exe
        62⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134144.exe
        62⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136967.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136967.exe
        63⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138995.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138995.exe
        63⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132365.exe
        60⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134128.exe
        61⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138153.exe
        63⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138917.exe
        63⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140602.exe
        64⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141803.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141803.exe
        64⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134877.exe
        61⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131726.exe
        58⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129822.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129822.exe
        55⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124347.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124347.exe
        52⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126749.exe
        53⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129105.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129105.exe
        55⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129604.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129604.exe
        55⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130150.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131008.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131008.exe
        58⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131289.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131601.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131601.exe
        61⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131710.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131710.exe
        61⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132334.exe
        62⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133504.exe
        62⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131414.exe
        59⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130259.exe
        56⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128715.exe
        53⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122241.exe
        50⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122350.exe
        51⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124409.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124409.exe
        53⤵
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128824.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128824.exe
        55⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128918.exe
        55⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129214.exe
        56⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129838.exe
        56⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128028.exe
        53⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129027.exe
        54⤵
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129760.exe
        56⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130134.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130134.exe
        56⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130556.exe
        57⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130431.exe
        57⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123910.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123910.exe
        51⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120072.exe
        45⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118278.exe
        42⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116235.exe
        39⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114378.exe
        36⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        37⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115408.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115408.exe
        37⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113614.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113614.exe
        34⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111679.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111679.exe
        31⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7111087.exe
        29⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110759.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110759.exe
        27⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110213.exe
        25⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109807.exe
        23⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109449.exe
        21⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109199.exe
        19⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108388.exe
        17⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
        15⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107343.exe
        13⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106968.exe
        11⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106485.exe
        9⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106048.exe
        7⤵
        Executes dropped EXE
        
        PID:984
    - - C:\Users\Admin\AppData\Local\Temp\tmp7104956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104956.exe
        5⤵
        Executes dropped EXE
        
        PID:828
- - C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe
    3⤵
    - Executes dropped EXE
    PID:880

C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
1⤵
- Modifies registry class
PID:1116
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\tmp7131429.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131429.exe
    3⤵
    - Drops file in System32 directory
    PID:1652
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        5⤵
        Modifies registry class
        
        PID:108
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132599.exe
        7⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134159.exe
        7⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135813.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135813.exe
        8⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140072.exe
        10⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        10⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141694.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143597.exe
        13⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143956.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143956.exe
        13⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145266.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145266.exe
        16⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145656.exe
        16⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146296.exe
        17⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146936.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146936.exe
        17⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144486.exe
        14⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142240.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142240.exe
        11⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138324.exe
        8⤵
        
        PID:832
    - - C:\Users\Admin\AppData\Local\Temp\tmp7132209.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132209.exe
        5⤵
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\tmp7133754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133754.exe
        6⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136421.exe
        6⤵
        
        PID:1176
- - C:\Users\Admin\AppData\Local\Temp\tmp7131944.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7131944.exe
    3⤵
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7132381.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:1292
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\tmp7135204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135204.exe
        6⤵
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\tmp7136811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136811.exe
        6⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139276.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142193.exe
        9⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142287.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142287.exe
        9⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142989.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142989.exe
        10⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143784.exe
        12⤵
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144954.exe
        14⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146156.exe
        16⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147965.exe
        18⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149323.exe
        20⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149915.exe
        20⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150633.exe
        21⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        21⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148761.exe
        18⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149182.exe
        19⤵
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150259.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150259.exe
        21⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151741.exe
        23⤵
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153691.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153691.exe
        25⤵
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155188.exe
        27⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        27⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156935.exe
        28⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158683.exe
        30⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159915.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159915.exe
        30⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161350.exe
        31⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162115.exe
        31⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157669.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157669.exe
        28⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154502.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154502.exe
        25⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155204.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155204.exe
        26⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158433.exe
        28⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160523.exe
        30⤵
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164657.exe
        32⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168526.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171209.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171209.exe
        36⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175063.exe
        38⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178822.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178822.exe
        40⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179992.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179992.exe
        40⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180819.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182442.exe
        43⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183050.exe
        43⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183378.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        46⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        48⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188354.exe
        48⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
        49⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190070.exe
        49⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186342.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186342.exe
        46⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186981.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186981.exe
        47⤵
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188916.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188916.exe
        49⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190912.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190912.exe
        51⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192316.exe
        51⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193128.exe
        52⤵
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195312.exe
        54⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197074.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197074.exe
        56⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201037.exe
        56⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206434.exe
        57⤵
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209087.exe
        59⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211068.exe
        59⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214515.exe
        60⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217214.exe
        60⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206840.exe
        57⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196029.exe
        54⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196887.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207308.exe
        57⤵
        
        PID:800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210444.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216325.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216325.exe
        61⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218852.exe
        61⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221988.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221988.exe
        62⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223626.exe
        62⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214469.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214469.exe
        59⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217495.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217495.exe
        60⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220943.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220943.exe
        60⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208244.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208244.exe
        57⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209180.exe
        58⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211099.exe
        58⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199539.exe
        55⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194578.exe
        52⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189976.exe
        49⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191193.exe
        50⤵
        
        PID:844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195140.exe
        52⤵
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196248.exe
        54⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196825.exe
        54⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198697.exe
        55⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203205.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203205.exe
        55⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195655.exe
        52⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196357.exe
        53⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204625.exe
        55⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207261.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207261.exe
        55⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208603.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208603.exe
        56⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214328.exe
        58⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219133.exe
        60⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227744.exe
        62⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228555.exe
        62⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229694.exe
        63⤵
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232455.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232455.exe
        65⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234936.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234936.exe
        67⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235856.exe
        67⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236699.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236699.exe
        68⤵
        
        PID:928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238789.exe
        70⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239569.exe
        70⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241332.exe
        71⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242549.exe
        71⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237198.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237198.exe
        68⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233360.exe
        65⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234390.exe
        66⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236917.exe
        68⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237541.exe
        68⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238430.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238430.exe
        69⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240053.exe
        71⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243516.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7245887.exe
        75⤵
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247354.exe
        77⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248929.exe
        79⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7250286.exe
        79⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247946.exe
        77⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7249772.exe
        78⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246496.exe
        75⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247276.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247276.exe
        76⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248040.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7248040.exe
        76⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244234.exe
        73⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246184.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246184.exe
        74⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246870.exe
        74⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242081.exe
        71⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243235.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243235.exe
        72⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244109.exe
        72⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239117.exe
        69⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235451.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235451.exe
        66⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230693.exe
        63⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223922.exe
        60⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227697.exe
        61⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230100.exe
        63⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231831.exe
        63⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233313.exe
        64⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233859.exe
        64⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228462.exe
        61⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215358.exe
        58⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217542.exe
        59⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224733.exe
        61⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227307.exe
        61⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228602.exe
        62⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230708.exe
        62⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221083.exe
        59⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210413.exe
        56⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7197028.exe
        53⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192363.exe
        50⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187730.exe
        47⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184454.exe
        44⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181693.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181693.exe
        41⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175671.exe
        38⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177387.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177387.exe
        39⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        39⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171428.exe
        36⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173690.exe
        37⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176919.exe
        39⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177668.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177668.exe
        39⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178869.exe
        40⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181334.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181334.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183721.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183721.exe
        44⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        44⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185452.exe
        45⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186420.exe
        45⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182738.exe
        42⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183768.exe
        43⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184548.exe
        43⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179946.exe
        40⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175094.exe
        37⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        34⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172379.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172379.exe
        35⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174797.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174797.exe
        35⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165952.exe
        32⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167637.exe
        33⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169462.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169462.exe
        35⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170086.exe
        35⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171506.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171506.exe
        36⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        36⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168791.exe
        33⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162052.exe
        30⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164782.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164782.exe
        31⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166685.exe
        31⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        28⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160945.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160945.exe
        29⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
        29⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155609.exe
        26⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152177.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152177.exe
        23⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154205.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154205.exe
        24⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        24⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150508.exe
        21⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152006.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152006.exe
        22⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151460.exe
        22⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149697.exe
        19⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146842.exe
        16⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148277.exe
        17⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148777.exe
        17⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145298.exe
        14⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145875.exe
        15⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146858.exe
        15⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144112.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144112.exe
        12⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144705.exe
        13⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145532.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145532.exe
        13⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143332.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143332.exe
        10⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140477.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140477.exe
        7⤵
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\tmp7133878.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7133878.exe
      4⤵
      PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7103989.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7103989.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104285.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104613.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104956.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7105907.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106048.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106251.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106251.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106485.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106968.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7107109.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7107109.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
c0a76f46a9985cab4ddca1463fbc8b9b

SHA1
76dc14c6125883ca6e48e19f7ea0aa7719c9ee43

SHA256
a0428ea5a3c9fc1c1926bee75680aa7e509200371347ec790757b0f0d86853f7

SHA512
20038c7dada84e13537d58011dc5988faa16c39716ccc153c9e4ccdada89d75f8b41d703c735579dc9131f427098f07af7977f3e9ec60ccb876ec4f2ee6f5b1e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7103989.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7103989.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104285.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104613.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104613.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104956.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7105907.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7105907.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106048.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106251.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106251.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106485.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106968.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7107109.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7107109.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
455KB

MD5
cfa6225b972bbae446cd83e5f83be976

SHA1
1b5c34c554764f14310178a9e76b5a160537c34b

SHA256
95d2d0e75fbf4975c66b9f100738433a6beced10097db07036e337114424e2dd

SHA512
8e62cc9903547917f8effa497c449897af44333ee61c0c60584595439a9de55a9eca47d17ad91973768b547ed2051cd60251b5c2109965205e14216a70aaf399

Download Submit
memory/288-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/288-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/288-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/288-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/304-219-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/452-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/532-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/572-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/696-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/696-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/800-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/800-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/856-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/872-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/872-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/960-263-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/1048-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1124-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1136-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1136-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1244-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-126-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1332-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1348-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1596-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1768-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1848-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1872-112-0x00000000006C0000-0x00000000006CD000-memory.dmp

Filesize
52KB

Download
memory/1988-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1996-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2044-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download